# Based on https://github.com/defunkt/unicorn/blob/master/examples/nginx.conf

upstream unicorn_<%= application_basename %> {
  # fail_timeout=0 means we always retry an upstream even if it failed
  # to return a good HTTP response (in case the Unicorn master nukes a
  # single worker for timing out).
  server unix:/tmp/unicorn.<%= application_basename %>.sock fail_timeout=0;
}

<% [80, 443].each do |port| %>

  <% fetch(:mb_nginx_redirect_hosts).each do |orig, desired| %>
    server {
      listen <%= port %>;
      server_name <%= orig %>;
      return 301 <%= fetch(:mb_nginx_force_https) ? "https" : "$scheme" %>://<%= desired %>$request_uri;
    }
  <% end %>

  server {
    listen <%= port %> <%= "spdy" if port == 443 %> default deferred; # for Linux

    <% if port == 80 && fetch(:mb_nginx_force_https) %>
      rewrite ^(.*) https://$http_host$1 permanent;
    <% else %>

      client_max_body_size 4G;
      server_name _;

      # ~2 seconds is often enough for most folks to parse HTML/CSS and
      # retrieve needed images/icons/frames, connections are cheap in
      # nginx so increasing this is generally safe...
      keepalive_timeout 5;

      # path for static files
      root <%= current_path %>/public;

      # Capistrano `deploy:web:disable` support
      if (-f $document_root/system/maintenance.html) {
        return 503;
      }
      error_page 503 @maintenance;
      location @maintenance {
        rewrite  ^(.*)$  /system/maintenance.html last;
        break;
      }

      <% if port == 443 %>
        ssl on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_dhparam /etc/ssl/dhparams.pem;
        ssl_certificate /etc/ssl/<%= application_basename %>.crt;
        ssl_certificate_key /etc/ssl/<%= application_basename %>.key;

        <% if fetch(:mb_nginx_force_https) %>
          add_header Strict-Transport-Security "max-age=631138519";
        <% end %>
      <% end %>

      # Far-future expires for fingerprinted assets
      location ~ "/<%= fetch(:assets_prefix, "assets") %>/.*-[0-9a-f]{32}.*" {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
      }

      # Gzip for all assets
      location ~ ^/(<%= fetch(:assets_prefix, "assets") %>)/ {
        gzip_static on;
        break;
      }

      # Internal-only URI for sending files with X-Accel-Redirect from within
      # a release of the Rails app. See also corresponding proxy_set_header in
      # @unicorn config below.
      location /__send_file_accel {
        internal;
        alias <%= fetch(:deploy_to) %>/releases;
      }

      include /etc/nginx/<%= application_basename%>-locations/*;

      # Prefer to serve static files directly from nginx to avoid unnecessary
      # data copies from the application server.
      try_files $uri/index.html $uri @unicorn;

      location @unicorn {
        # an HTTP header important enough to have its own Wikipedia entry:
        #   http://en.wikipedia.org/wiki/X-Forwarded-For
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # this helps Rack set the proper URL scheme for doing HTTPS redirects:
        proxy_set_header X-Forwarded-Proto $scheme;

        # pass the Host: header from the client right along so redirects
        # can be set properly within the Rack application
        proxy_set_header Host $http_host;

        # we don't want nginx trying to do something clever with
        # redirects, we set the Host: header above already.
        proxy_redirect off;

        # send_file support
        proxy_set_header X-Sendfile-Type X-Accel-Redirect;
        proxy_set_header X-Accel-Mapping <%= fetch(:deploy_to) %>/releases/=/__send_file_accel/;

        # enable caching (honors cache-control headers sent by Rails)
        # lock and use_stale help prevent a cache stampede
        proxy_cache default;
        proxy_cache_lock on;
        proxy_cache_use_stale updating;
        add_header X-Cache-Status $upstream_cache_status;

        proxy_pass http://unicorn_<%= application_basename %>;
      }

      # Rails error pages
      error_page 500 502 503 504 /500.html;
      location = /500.html {
        root <%= current_path %>/public;
      }
    <% end %>
  }
<% end %>
